Flashcards

Cards: 17 cards
Learners: 1 learner
Language: English
Level: University
Created / Updated: 25.06.2019 / 04.07.2019
Licensing: Not specified
0 exact answers, 17 text answers, 0 multiple-choice answers

What happens in user space and kernel space when a network packet is sent? (slow)

Send a network packet, slow:

  • Userspace process creates a buffer with data (e.g. an HTTP request)
  • Syscall to kernel with address of buffer
  • Kernel copies userspace buffer to kernel space
  • Kernel splits and manages buffer (split into MTU size, add TCP/IP/Ethernet headers etc.) to create network packets
  • Kernel copies network packets to special address mapped to NIC RAM
  • Kernel «syscalls» NIC (network interface card) with buffer address (in its RAM)
  • NIC sends it over the wire (via local RAM)

What happens in userspace and kernelspace when a network packet is sent? (fast)

Send a network packet, fast:
  • Userspace process creates a buffer with data (e.g. an HTTP request)
  • Syscall to kernel
  • Kernel maps (rather than copies) the userspace buffer into kernel space
  • Kernel splits and manages buffer (split into MTU size, add TCP/IP/Ethernet headers etc.) to create network packets
  • Kernel «syscalls» NIC (network interface card) with the network packet's physical address
  • Buffer gets copied to the NIC (NIC's RAM)
  • NIC sends the packet at that physical address over the wire (via DMA)

What is the new hardware layout of CPU, RAM, MCH / Northbridge / Memory Controller, ICH / Southbridge / NIC?

Where is the Kernel Logical Address mapped to in physical memory?

What is Logical Addressing, Virtual / Linear Addressing / Physical Addressing?

Logical Addressing:

  • Base + Offset
  • Linear Address Space
  • Address maps directly to some hardware address, via offset

Virtual / Linear Addressing:

  • Addresses are contiguous, but not linear (page table mapping)

Physical Addressing:

  • the actual address of the main memory

What techniques can you use to exploit the kernel and what is done once Remote Code Execution is achieved?

Techniques are the same as in userspace:

  • Stack based buffer overflow
  • Heap based buffer overflow (slab allocator)
  • Race conditions
  • NULL/userspace dereference bugs
  • Logical bugs

After getting RCE (Remote Code Execution):

  • Patch syscall table
  • Or find our shell process and set uid to 0
  • Disable SELinux

What is the attack surface of a remote kernel exploit?

Attack Surface:

  • TCP/IP Stack
  • IPSec
  • Drivers: Bluetooth / Wifi or similar
  • Whatever else is in kernelspace and reachable via network / signals

What mitigations against kernel exploits are there?

  • kASLR
    • Available, but disabled by default (hibernation problems)
  • DEP
    • Default
    • CONFIG_DEBUG_RODATA
    • But some pages are W & X
      • Because of X86 (BIOS etc...)
      • Therefore, not so useful
  • The usual compile time stuff (but in hard)
    • Stack canaries (default)
    • Fortify source (default)
    • Randstruct
      • Randomizes order of struct entries (per build)
  • SMEP
    • Prevents execution of userspace code in kernelspace (ret2usr)
    • Needs CPU support: Ivy Bridge ++
    • Enabled by default in modern distributions
    • Workaround: In-kernel ROP
    • Check with: cat /proc/cpuinfo | grep smep
  • SMAP
    • Denies the kernel direct access to userspace memory
    • Needs CPU support: Broadwell ++
    • Enabled by default in modern distributions